IEEE 802.1X: EAP over LAN (EAPOL) for LAN/WLAN Authentication & Key Management
来源:互联网 发布:手机有mac地址吗 编辑:程序博客网 时间:2024/05/21 09:49
原文地址:http://www.javvin.com/protocol8021X.html
The IEEE 802.1X offers an effective framework for authenticating and controlling user traffic to a protected network, as well as dynamically varying encryption keys. 802.1X ties a protocol called EAP (Extensible Authentication Protocol) to both the wired and wireless LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public key authentication.
In the 802.1x architecture, there are three key components: 1) Supplicant: the user or client that wants to be authenticated; 2) The authentication server, typically a RADIUS server; 3) The authenticator: the device in between, such as a wireless access point, which can be simple and dumb.
The key protocol in 802.1x is called EAP over LANs (EAPOL). It is currently defined for Ethernet-like LANs including 802.11 wireless, as well as token ring LANs (including FDDI). The operation process in 802.1X is as follow:
- The supplicant (such as a client wireless card) sends an "EAP-Response/Identity" packet to the authenticator (such as 802.11 access point), which is then passed on to the authentication server (RADIUS server which is located at the wired side of the access point).
- The authentication server sends back a challenge to the authenticator. The authenticator unpacks this from IP and repackages it into EAPOL and sends it to the supplicant.
- The supplicant responds to the challenge via the authenticator and passes the response onto the authentication server. The authentication server uses a specific authentication algorithm to verify the client's identity. This could be through the use of digital certificates or other EAP authentication type.
- If the supplicant provides proper identity, the authentication server responds with a success message, which is then passed onto the supplicant. The authenticator now opens port for the supplicant to access to the LAN based on attributes that came back from the authentication server.
The 802.1X (EAPOL) protocol provides effective authentication regardless of whether you implement 802.11 WEP keys or no encryption at all. If configured to implement dynamic key exchange, the 802.1X authentication server can return session keys to the access point along with the accept message. The access point uses the session keys to build, sign and encrypt an EAP key message that is sent to the client immediately after sending the success message. The client can then use contents of the key message to define applicable encryption keys.
802.1X (EAPOL) is a delivery mechanism and it doesn't provide the actual authentication mechanisms. When utilizing 802.1X, you need to choose an EAP type, such as Transport Layer Security (EAP-TLS) or EAP Tunneled Transport Layer Security (EAP-TTLS), which defines how the authentication takes place. The specific EAP type resides on the authentication server and within the operating system or application software on the client devices. The access point acts as a "pass through" for 802.1X messages, which means that you can specify any EAP type without needing to upgrade an 802.1X-compliant access point.
Protocol Structure - IEEE 802.1X: EAP over LAN (EAPOL) for LAN/WLAN Authentication & Key Management
EAPOL Frame Format for 802.3/Ethernet:
2 bytes1 byte1 byte2 bytesVariablePAE Ethernet TypeProtocol versionPacket typePacket Body lengthPacket Body
- PAE Ethernet type- PAE (Port Access Entity) Ethernet type contains the Ethernet Type value assigned for use by the PAE.
- Protocol version - an unsigned binary number, which value is the version of the EAPOL protocol.
- Packet type- an unsigned binary number, which value determines the type of the packet as follows: a0 EAP-packet; b) EAPOL-Start; c) EAPOL-Logoff; d)EAPOL-Key; e) EAPOL-Encapsulated-ASF-Alert
- Packet body length- an unsigned binary, which value defines the length in octets of the packet body field.
- Packet Body - This field is presented if the packet type contains the value EAP-Packet, EAPOL-Key, or EAP-Encapsulated-ASF-Alert, otherwise, it is not presented.
EAPOL Frame Format for Token Ring /FDDI:
8 bytes1 byte1 byte2 bytesVariableSNAP Ethernet TypeProtocol versionPacket typePacket Body lengthPacket Body
- SNAP Ethernet Type- contains the SNAP-encoded Ethernet type encoded in the SNAP format as follows: 1-3 bytes carry the standard SNAP header; 4-6 bytes carry the SNAP PID; 7-8 bytes carry the PAE Ethernet Type value.
Related Protocols
Ethernet ,EAP , RADIUS , Token Ring
Sponsor Source
EAPOL (802.1X) is defined by IEEE (http://www.ieee.org ).
Reference
http://standards.ieee.org/getieee802/download/802.1X-2001.pdf : Port based Network Access Control
- IEEE 802.1X: EAP over LAN (EAPOL) for LAN/WLAN Authentication & Key Management
- EAPOL-----IEEE 802.1X
- IEEE 802.1x中的EAPOL
- LAN、WAN、WLAN、以太网
- lan
- LAN
- LAN WAN WLAN 的区别
- LAN、WAN和WLAN介绍
- IEEE 802.11 Wireless Lan Security
- 浅谈路由器的wan、lan、wlan口
- IEEE 802 LAN/MAN Standards Committee
- EAP Authentication Protocols for WLANs
- EAP Authentication Protocols for WLANs
- LAN MAC WAN MAC 和 WLAN MAC的关系
- LAN、WAN、WLAN、VLAN 和 VPN 的区别
- LAN、WAN、WLAN、VLAN和VPN的区别
- LAN、WAN、WLAN、VLAN和VPN的区别
- LAN、WAN、WLAN、VLAN 和 VPN 的区别
- JSTL标签(七)
- 吉哥系列故事——完美队形I
- 8#10 - 杭州邀请赛 重现
- OpenGL错误和性能Tips
- ArcGIS Server动态读取图层样式(Flex版)
- IEEE 802.1X: EAP over LAN (EAPOL) for LAN/WLAN Authentication & Key Management
- 关于C++中输入操作符(>>)返回输入流对象的的问题
- 浅谈HTTP中Get与Post的区别
- 如何编写高校的lua代码
- 吉哥系列故事——完美队形II
- json 死循环解决办法
- springmvc文件上传,使用它的MultipartHttpServletRequest,tomcat中正常,resion中报错
- 用Javascript取float型小数点后两位
- Java深入了解String对象
